Hooded hacker of the solar winds hack concept / Shutterstock On 26 Feb, the hearing on the hack linked to vulnerabilities in SolarWinds '...
 |
| Hooded hacker of the solar winds hack concept / Shutterstock |
"Damage assessment` will be based on email, "said Kevin Man Dia, CEO of Fire Eye. "How this information is used - we don't know. This is a problem. We must seize all content, as well as all of these contents. Solar Winds CEO Sudhakar Ramakrishna said his company close to understanding how malware is injected into the update of the Orion IT management software product.
He said they `focus on three possibilities. One is a password spray; the other is the certificate of theft, and the third is a vulnerability of third-party software used in its internal infrastructure. Like other companies, we also use a lot of third-party software, at this point, we look at it from these three dimensions. We are assessing several petabytes of data to be able to sift through this in the hopes that we can pinpoint patient zero in this context," Ramakrishna.
Witnesses tell legislators, once hackers entered the network, they used the mistakes in basic network security practices to expand their scope. Smith says that they are likely to access the accounts of the Ministry of Justice using methods such as stealing passwords. Some legislators also put forward some problems, such as how to take the initiative to find the security threats in the network.
The ability of the Cybersecurity and Information Security Agency to conduct threat hunting on federal agency networks, as provided by the 2021 National Defense Authorization Act, is "exactly the right thing to do," Mandia said. Rep. Gerry Connolly (D-Va.) asked how the federal government can support private companies that threaten hunt on federal networks.
The most important step will be centralized cyber breach reporting, Smith told him, as well as sharing information back out to the private sector. The area will need more legislation, he said. One hurdle Congress will also need to address is the ways that agencies restrict contractors from sharing their cybersecurity information about what they are seeing with other parts of the federal government.
"One of the specific things that we had to do in December was going to each agency, tell them that we had identified that they were a victim of this, and then we had to say, 'You need to go over to this person in the other part of the government to let them know. Please do that, we cannot do that for you,'" Smith explained.
"Some of the largest companies in our industry, that are well-known to have been involved in this that still have not spoken publicly about what they know," Smith said. "There's no indication that they even informed customers. And I'm worried that … to some degree, some other companies, some of our competitors even, just didn't look very hard."
To address that gap, Rep. Michael McCaul (R-Texas) announced that he and Langevin are working on a bill that would establish CISA as a kind of clearinghouse for breach notification. By removing sources, methods, and company names from reporting data, the legislation would protect companies from market repercussions, McCaul said.
Witnesses told lawmakers that once hackers were in a network, they were able to take advantage of lapses in basic cybersecurity practices to expand their reach. It’s likely they were able to access Justice Department accounts using methods like stealing passwords, Smith said. Some lawmakers also asked questions about threat hunting, the practice of proactively looking for cyber threats in a network.